
Pipelines and docs for updating tWAS VM Images on RHEL 9.x #67

Merged
merged 13 commits into from
Feb 27, 2023

Conversation

majguo
Copy link
Collaborator

@majguo majguo commented Feb 24, 2023

Description

The PR addresses most of the requirements listed in #64 by providing pipelines and docs for updating tWAS VM Images on RHEL 9.x in Azure Marketplace.

Change summary

The following major changes are implemented:

  • Refactor pipelines to fix some old issues (e.g., intermittent failure in resource cleanup)
  • Install BigFix client for twas-nd and twas-base
  • Harden the image by applying compatible rules using OpenSCAP tool
  • Revert cis related pipelines and supporting files

Testing

CICD pipelines for generating VHD files for tWAS VM Images on RHEL 9.x:

These generated VHD files are also used for updating the testing tWAS VM offer in Partner Center. The testing tWAS VM offer is successfully published and in preview, which is verified by deploying a VM from both the Azure Portal and the solution template. The preview links for creating VMs:

How-To docs

Part of how-to docs of updating the VM images are located in the following PRs:

The others are included in this PR.

As a result, after the above PRs and this PR are merged, instructions on how to update tWAS VM images on RHEL 9.x can be referenced from howto-update-image.md.

Partner center HTML

I drafted the contents of the Azure virtual machine offer as requested; they're located in:

  • ihs/src/main/resources/marketing-artifacts/partner-center.html
  • twas-base/src/main/resources/marketing-artifacts/partner-center.html
  • twas-nd/src/main/resources/marketing-artifacts/partner-center.html

@gcharters @git4rk @m-reza-rahman @edburns, pls continue working on it when updating vm offers in partner center.

OpenSCAP reports

The scanning reports before and after compliance remediation can be downloaded from the summary of pipeline workflow, e.g.:

Note: after applying OpenSCAP rules, additional commands (e.g., waagent -deprovision+user -force) have to be executed to generate the Azure VM image. The following is what waagent -deprovision+user -force does during execution:

waagent -deprovision+user -force
WARNING! The waagent service will be stopped.
WARNING! All SSH host key pairs will be deleted.
WARNING! Cached DHCP leases will be deleted.
WARNING! root password will be disabled. You will not be able to login as root.
WARNING! /etc/resolv.conf will be deleted.
WARNING! <admin-account-name> account and entire home directory will be deleted.
2023-02-21T00:57:42.690257Z INFO MainThread Examine /proc/net/route for primary interface
2023-02-21T00:57:42.690784Z INFO MainThread Primary interface is [eth0]

Besides, VM creation may also introduce some differences regarding security. So I deployed a new VM with twas-base and ran the scan again; there is only a slight difference between the reports, which should be acceptable:

Signed-off-by: Jianguo Ma jiangma@microsoft.com

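As an added example (not code from this PR or the WASdev project), the script below diffs two OpenSCAP XCCDF result files, such as scan-report-before against scan-report-after, or the image scan against a scan of the deployed VM, and lists which rules were fixed, which regressed and which still fail. It assumes the XML results file written by `oscap xccdf eval --results` rather than the HTML report; the sample XML and the rule ids are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace used by the results files oscap writes with --results.
XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed sample results (not real scan output); rule ids follow the
# SCAP Security Guide naming scheme but are chosen only for illustration.
BEFORE_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
<TestResult id="xccdf_org.open-scap_testresult_before">
 <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>fail</result></rule-result>
 <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen"><result>fail</result></rule-result>
 <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"><result>pass</result></rule-result>
 <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled"><result>fail</result></rule-result>
</TestResult></Benchmark>"""

AFTER_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
<TestResult id="xccdf_org.open-scap_testresult_after">
 <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>pass</result></rule-result>
 <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen"><result>pass</result></rule-result>
 <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"><result>fail</result></rule-result>
 <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled"><result>fail</result></rule-result>
</TestResult></Benchmark>"""


def parse_rule_results(xml_text):
    """Map each evaluated rule id to its result string (pass, fail, ...)."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iter(XCCDF_NS + "rule-result"):
        res = rr.find(XCCDF_NS + "result")
        if res is not None and res.text:
            results[rr.get("idref")] = res.text.strip()
    return results


def diff_scans(before_xml, after_xml):
    """Classify rules by how their state moved between the two scans; 'regressed'
    (pass -> fail) is the set to explain before publishing the offer."""
    before = parse_rule_results(before_xml)
    after = parse_rule_results(after_xml)
    out = {"fixed": [], "regressed": [], "still_failing": []}
    for r in sorted(set(before) | set(after)):
        b, a = before.get(r), after.get(r)
        if b == "fail" and a == "pass":
            out["fixed"].append(r)
        elif b == "pass" and a == "fail":
            out["regressed"].append(r)
        elif b == "fail" and a == "fail":
            out["still_failing"].append(r)
    return out
```

Run `diff_scans(BEFORE_XML, AFTER_XML)` against the two downloaded results files; a non-empty "regressed" list is the difference a reviewer should account for before accepting the VM-side scan.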
@majguo majguo changed the title Vm image Pipelines and docs for updating tWAS VM Images on RHEL 9.x in Azure Marketplace Feb 24, 2023
@majguo majguo changed the title Pipelines and docs for updating tWAS VM Images on RHEL 9.x in Azure Marketplace Pipelines and docs for updating tWAS VM Images on RHEL 9.x Feb 24, 2023
@majguo
Copy link
Collaborator Author

majguo commented Feb 24, 2023

Hello @venunathb @git4rk @edburns Could you pls review the PR? Thanks.

@venunathb
Copy link
Contributor

@majguo Do we have OpenSCAP report links in the CICD pipelines? If yes, how do we access them?

I see the following on the CICD summary page, but I need help finding the link to the OpenSCAP report.

twas-base CICD
twas-nd CICD
ihs CICD

@venunathb
Copy link
Contributor

venunathb commented Feb 24, 2023

PR review.

  • Refactor pipelines to fix some old issues (e.g., intermittent failure in resource cleanup)
  • Install BigFix client for twas-nd and twas-base
    $ sudo rpm -q BESAgent
    BESAgent-10.0.8.37-rhe6.x86_64
  • Harden the image by applying compatible rules using OpenSCAP tool
  • Revert cis related pipelines and supporting files
  • Redhat OS
    $ cat /etc/redhat-release
    Red Hat Enterprise Linux release 9.1 (Plow)
  • How to Docs
  • Deploy VM using preview links.

@majguo
Copy link
Collaborator Author

majguo commented Feb 24, 2023

@majguo Do we have OpenSCAP report links in the CICD pipelines? If yes, how do we access them?

I see the following on the CICD summary page, but I need help finding the link to the OpenSCAP report.

twas-base CICD
twas-nd CICD
ihs CICD

@venunathb Yes, we have. Follow steps below to access them:

  1. Click to open the workflow run twas-base CICD mentioned in the PR. The Summary will be displayed.
  2. Scroll down to the bottom of the page.
  3. In the Artifacts section, there are two links for the OpenSCAP reports: scan-report-before and scan-report-after.
  4. Click the links to download the reports.

Same steps for accessing reports for twas-nd CICD and ihs CICD.

@majguo I can access the reports from the CICD Summary page. Thank you.

@venunathb venunathb merged commit b1c4ed1 into WASdev:main Feb 27, 2023
@majguo majguo deleted the vm-image branch February 27, 2023 04:16